Arizona’s Data Breach Statute, Part 1/2.


Arizona’s data breach statute is divided into two sections of the relevant code. This is part 1/2.


18-551. Definitions


In this article, unless the context otherwise requires:

1. “Breach” or “security system breach”:

(a) Means an unauthorized acquisition of and unauthorized access that materially compromises the security or confidentiality of unencrypted and unredacted computerized personal information maintained as part of a database of personal information regarding multiple individuals.

(b) Does not include a good faith acquisition of personal information by a person’s employee or agent for the purposes of the person if the personal information is not used for a purpose unrelated to the person and is not subject to further unauthorized disclosure.

2. “Court” means the supreme court, the court of appeals, the superior court, a court that is inferior to the superior court and a justice court.

3. “Encrypt” means to use a process to transform data into a form that renders the data unreadable or unusable without using a confidential process or key.

4. “Individual” means a resident of this state who has a principal mailing address in this state as reflected in the records of the person conducting business in this state at the time of the breach.

5. “Nationwide consumer reporting agency”:

(a) Means a consumer reporting agency that compiles and maintains files on consumers on a nationwide basis as defined in 15 United States Code section 1681a(p).

(b) Does not include a nationwide specialty consumer reporting agency as defined in 15 United States Code section 1681a(x).

6. “Person”:

(a) Means a natural person, corporation, business trust, estate, trust, partnership, association, joint venture, government or governmental subdivision or agency or any other legal or commercial entity.

(b) Does not include the department of public safety, a county sheriff’s department, a municipal police department, a prosecution agency or a court.

7. “Personal information”:

(a) Means any of the following:

(i) An individual’s first name or first initial and last name in combination with one or more specified data elements.

(ii) An individual’s user name or e-mail address, in combination with a password or security question and answer, that allows access to an online account.

(b) Does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.

8. “Prosecution agency” means the attorney general, a county attorney or a municipal prosecutor.

9. “Redact” means to alter or truncate a number so that not more than the last four digits are accessible and at least two digits have been removed.

10. “Security incident” means an event that creates reasonable suspicion that a person’s information systems or computerized data may have been compromised or that measures put in place to protect the person’s information systems or computerized data may have failed.

11. “Specified data element” means any of the following:

(a) An individual’s social security number.

(b) The number on an individual’s driver license issued pursuant to section 28-3166 or nonoperating identification license issued pursuant to section 28-3165.

(c) A private key that is unique to an individual and that is used to authenticate or sign an electronic record.

(d) An individual’s financial account number or credit or debit card number in combination with any required security code, access code or password that would allow access to the individual’s financial account.

(e) An individual’s health insurance identification number.

(f) Information about an individual’s medical or mental health treatment or diagnosis by a health care professional.

(g) An individual’s passport number.

(h) An individual’s taxpayer identification number or an identity protection personal identification number issued by the United States internal revenue service.

(i) Unique biometric data generated from a measurement or analysis of human body characteristics to authenticate an individual when the individual accesses an online account.


Foundry Legal is a law practice.  We primarily focus on data privacy, emerging technology companies and social impact organizations, and capital formation through private securities offerings and strategic investments/acquisitions. 

Occasionally we will find an issue that really, really goes against something we stand for, and when that happens we won’t hesitate to get involved.

The firm serves clients across a range of industries, including new agriculture, financial institutions, aerospace, and professional services. We are in Denver, Colorado.
